Python explains the code for NTFS runlist

Last Update:2017-07-01 Source: Internet

Author: User

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

The code is as follows:

#!/usr/bin/python3#http://www.frombyte.com  Tommy import osimport sysimport randomimport  Hashlibimport structimport zlibimport re def help_exit ():     Print ("   command format:")     print ("  python3 %s <file name > <start bytes> <start lcn> <start vcn>: " %  Sys.argv[0])     print ("      file name: To interpret the file name containing the runlist ")     print ("       start bytes: In the file to explain the starting position of the Runlist ")     print (" &NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;START&NBSP;LCN: Runlist Start Reference LCN value, if it is a complete runlist, this value should be 0. ")     print ("      start vcn:runlist Start reference VCN value, If it is a runlist with no 0x20, the value is mostly 0. ")     print ("      * return value: A two-dimensional queue that prints the results. \ n ")   &Nbsp; exit () #通过抛出异常判断第一个参数是否是A-fdef is_num_by_except (s):    try:         a=int (s,16)         if  (a>0 &NBSP;AND&NBSP;A&LT;=16): return true        else:  return false    except valueerror:         return false    if len (SYS.ARGV)!= 5 :     Print ("  *** parameter number or format error!")     help_exit () if sys.argv[2].isdigit ():     spoi = int ( SYS.ARGV[2])     if spoi<0:      print ("* * * error, The starting byte position cannot take a negative value ")       help_exit () else:    print (" * * * error, The starting byte position should be a nonnegative integer ")     help_exit () If sys.argv[3].isdigit (): &NBSP;&NBSP;&NBSP;&NBSP;SLCN  =&Nbsp;int (Sys.argv[3])     if slcn<0:      print ("* * * Error, starting LCN cannot take negative ")       help_exit () else:    print (" * * * error, Starting LCN should be a non-negative integer ")     help_exit () If sys.argv[4].isdigit (): &NBSP;&NBSP;&NBSP;&NBSP;SVCN  = int (Sys.argv[4])     if svcn<0:       Print ("* * * error, starting VCN cannot take negative value")       help_exit () else:    print ("* * * ERROR, starting VCN should be non-negative integer ")     help_exit () def get_i (Vl,ilen):    q=0     for i in range (0,ilen):         q  = q |  ( vl[0][i] << i*8 )           #若为负数     if vl[0][ilen-1] > 0x80:         q = q -  (1 << ilen*8 )     return qf = open ("% S "%sys.argv[1], ' RB ') F.seek (Spoi) data = f.read (1024x768) v1 = 1i = 0lists =  [[0 for i in range (2)] ]del lists[0]while true:  t =  Struct.unpack_from (' B ', data,i)   v1 = t[0]  if v1 == 0:     break  v1_p =  (v1 & 0xf0)  >> 4   v1_l =  (V1&NBSP;&AMP;0XF)   if  (v1_l >=8)  or  (v1_p >=8)  or  (v1_l == 0):     print ("* * * offset%d:run list length and position byte with error!***"% (i+ Spoi)     break  i = i+1  if  (i+8)  >= 1024 :     break  t = struct.unpack_from (' 8s ', data,i)   v1_dl  = get_i (t,v1_l)    if v1_dl < 0:    print ("* * * Offset%d:run fragment length cannot be negative!***"% (i+spoi))      break     i = i+ v1_l  if  (i+8)   >= 1024:    break  t = struct.unpack_from (' 8s ', data,i)    v1_dp = get_i (t,v1_p)   slcn = slcn + v1_dp   Lists.append ([slcn,v1_dl])   i = i + v1_p   #print ("%x,%x:%x,%x"% (v1_l, V1_P,V1_DL,SLCN) Print ("Runlist (total%d fragments):"%len (lists)) print ("%20s%20s%20s"% ("VCN", "LCN", "Len") for i  In lists:  print ("%20d%20d%20d"% (svcn,i[0],i[1))   svcn += i[1]f.close ()

The following results are performed:

[Email protected]:~/ntfs-5# python3 read_runlist.py mft_source.img

Parameter number or format error!

Command format:

Python3 read_runlist.py <file name> <start bytes> <start lcn> <start vcn>:

File name: The filename containing the runlist to be interpreted

Start bytes: The starting position in the file to interpret the Runlist

Start Lcn:runlist Reference LCN value, if it is a complete runlist, this value should be 0.

Start vcn:runlist The reference VCN value, if it is a runlist without 0x20, the value is mostly 0.

* Return value: A two-dimensional queue that prints the results.

[Email protected]:~/ntfs-5# python3 read_runlist.py mft_source.img 5688 0 0

Runlist (a total of 18 pieces):

VCN LCN LEN

0 32212 1

1 157952 2

3 207115 3

6 244046 3

9 122523 1

10 157991 1

11 170296 3

14 40552 5

19 149853 2

21 122721 2

23 141674 1

24 145783 3

27 158109 3

30 145820 1

31 240236 1

32 154081 1

33 166379 3

36 178711 3

This article is from the "Zhang Yu (Data Recovery)" blog, please be sure to keep this source http://zhangyu.blog.51cto.com/197148/1943606

Python explains the code for NTFS runlist

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More

Python explains the code for NTFS runlist

Contact Us

A Free Trial That Lets You Build Big!

Sales Support

After-Sales Support